CVE-2016-3183 Out-Of-Bounds Read in sycc422_to_rgb function #726

trylab · 2016-03-16T10:05:56Z

AddressSanitizer error message.

==116421==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000018c00 
at pc 0x000000529f98 bp 0x7ffe75bda580 sp 0x7ffe75bda578
READ of size 4 at 0x633000018c00 thread T0
    #0 0x529f97 in sycc422_to_rgb openjpeg/src/bin/common/color.c:148:33
    #1 0x527625 in color_sycc_to_rgb openjpeg/src/bin/common/color.c:286:3
    #2 0x4f1f5b in main openjpeg/src/bin/jp2/opj_decompress.c:1375:4
    #3 0x7f14c593182f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #4 0x41a978 in _start (openjpeg/bin/opj_decompress+0x41a978)

0x633000018c00 is located 0 bytes to the right of 99328-byte region [0x633000000800,0x633000018c00)
allocated by thread T0 here:
    #0 0x4bac30 in calloc (openjpeg/bin/opj_decompress+0x4bac30)
    #1 0x7f14c722d764 in opj_calloc openjpeg/src/lib/openjp2/opj_malloc.c:203:10
    #2 0x7f14c71a0e7a in opj_j2k_update_image_data openjpeg/src/lib/openjp2/j2k.c:8212:62
    #3 0x7f14c71a0886 in opj_j2k_decode_tiles openjpeg/src/lib/openjp2/j2k.c:9752:23
    #4 0x7f14c71693fd in opj_j2k_exec openjpeg/src/lib/openjp2/j2k.c:7341:41
    #5 0x7f14c717c44e in opj_j2k_decode openjpeg/src/lib/openjp2/j2k.c:9943:15
    #6 0x7f14c71d4356 in opj_decode openjpeg/src/lib/openjp2/openjpeg.c:412:10
    #7 0x4f1627 in main openjpeg/src/bin/jp2/opj_decompress.c:1330:10
    #8 0x7f14c593182f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow openjpeg/src/bin/common/color.c:148:33 in sycc422_to_rgb
Shadow bytes around the buggy address:
  0x0c667fffb130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c667fffb180:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb1a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb1b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb1c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb1d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==116421==ABORTING

Credit to Ke Liu of Tencent's Xuanwu LAB.

The text was updated successfully, but these errors were encountered:

boxerab · 2016-03-31T03:42:19Z

kdu_show crashes when trying to read this image.

422 Images with an odd x0 lead to subsampled component starting at the 2nd column. That is offset = comp->dx * comp->x0 - image->x0 = 1 Update uclouvain#726

42x Images with an odd x0/y0 lead to subsampled component starting at the 2nd column/line. That is offset = comp->dx * comp->x0 - image->x0 = 1 Update uclouvain#726

Update uclouvain/openjpeg#725 Update uclouvain/openjpeg#726

Update uclouvain#725 Update uclouvain#726

Update uclouvain/openjpeg#725 Update uclouvain/openjpeg#726

mayeut mentioned this issue Apr 21, 2016

Fix Out-Of-Bounds Read in sycc42x_to_rgb function #745

Merged

mayeut added bug Priority-Critical labels Apr 23, 2016

mayeut closed this as completed in 15f081c Apr 29, 2016

mayeut added this to the OPJ v2.1.1 milestone Apr 29, 2016

mayeut added a commit to mayeut/openjpeg-data that referenced this issue Apr 30, 2016

Add non-regression data for recent issues

92636ed

Update uclouvain/openjpeg#725 Update uclouvain/openjpeg#726

mayeut added a commit to mayeut/openjpeg that referenced this issue Apr 30, 2016

Add tests for recent issues

4f11e89

Update uclouvain#725 Update uclouvain#726

boxerab pushed a commit to GrokImageCompression/grok that referenced this issue May 1, 2016

Add tests for recent issues

dee75cb

Update uclouvain/openjpeg#725 Update uclouvain/openjpeg#726

trylab changed the title ~~Out-Of-Bounds Read in sycc422_to_rgb function~~ CVE-2016-3183 Out-Of-Bounds Read in sycc422_to_rgb function Sep 13, 2016

boxerab pushed a commit to GrokImageCompression/grok that referenced this issue Apr 18, 2020

Add tests for recent issues

7f2a1b6

Update uclouvain/openjpeg#725 Update uclouvain/openjpeg#726

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2016-3183 Out-Of-Bounds Read in sycc422_to_rgb function #726

CVE-2016-3183 Out-Of-Bounds Read in sycc422_to_rgb function #726

trylab commented Mar 16, 2016 •

edited

Loading

boxerab commented Mar 31, 2016

CVE-2016-3183 Out-Of-Bounds Read in sycc422_to_rgb function #726

CVE-2016-3183 Out-Of-Bounds Read in sycc422_to_rgb function #726

Comments

trylab commented Mar 16, 2016 • edited Loading

boxerab commented Mar 31, 2016

trylab commented Mar 16, 2016 •

edited

Loading